Network News

X My Profile
View More Activity

Anxiety at the Internet Cafe

As I wrote in a blog posting last week, I had to log on a few times during my vacation. Part of that Internet use involved checking my Gmail account--and anytime you're logging on from a strange computer, you have to worry if the computer isn't logging any passwords.

It's not that Web-cafe operators are out to steal their customers' identities. But you can't assume that they're all adept at securing their machines from other people's malware.

One way to be sure no evil software is afoot is to run only your own, by booting the machine off a Linux CD. But many Internet cafes don't allow that. You may not even able to plug in a USB key to run your own Web browser (and, say, avoid having to puzzle your way through a Chinese-language version of Internet Explorer).

What I did instead was to try out a technique I learned about from a post at the Lifehacker blog last year: Type a character or two of a password, then click elsewhere in the browser and type a random character or two before clicking back in the password field to type the next character, repeating this exercise until the entire password has been entered. (That post, in turn, linked back to a two-page paper [PDF] by two Microsoft researchers.)

This way, any program recording each tap of the keyboard would see a lengthy string of real and junk characters unless it also tracked cursor position and focus. But why would the hypothetical criminal bother going to that effort when enough other people will type in passwords without obscuring them?

Put it this way: You don't need a great car alarm if you avoid leaving valuables visible in your car while other vehicles on the same block have cell phones and iPods left on back seats.

(Just to be sure, though, I changed the Gmail password when I got home.)

Got any other suggestions on how to log on securely far from home? Please share in the comments!

By Rob Pegoraro  |  June 18, 2007; 7:13 AM ET
Categories:  Tips  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Dumb Quote of the Day
Next: A Few Things I Don't Know

Comments

Another solution to this dilemma is to use the On-Screen Keyboard application in Windows. (Select Start/Run, then type 'OSK', or navigate to Start/Programs/Accessories/Accessibility/On-Screen Keyboard). This application allows you to enter text by using the mouse only.

Posted by: Noremac | June 18, 2007 8:46 AM | Report abuse

I use http://keepass.info/ that allows you to cut and paste your username and password to the corresponding fields. It is even possible to open the website from the application so you don't have to type it. Also copy and paste can be activated with a click instead of the keyboard, reducing the chances for a keylogger to steal your username/password combination. As you mention while in a public computer it may not be possible to use your own usb so my solution would not work...

Posted by: Arturo Fonseca | June 18, 2007 10:36 AM | Report abuse

re: the On-Screen Keyboard.. It's not a secure method of inputting a password. Read the two-page PDF paper by the Microsoft researchers Rob linked to. The relevant quote: "Unfortunately [the On-Screen Keyboard] emulates keystrokes and sends them to the application that has focus. Even the simplest keylogger will catch all of the entries from the On screen keyboard as though they were typed."

Posted by: Foot | June 18, 2007 10:37 AM | Report abuse

Actually that is NOT a good idea. To quote from the paper Rob linked to: "The same is not
true of the on-screen keyboard offered by Windows XP
Accessability tools (this is available under Programs-
Accessories-Accessability Tools-On Screen Keyboard).
Unfortunately this emulates keystrokes and sends them
to the application that has focus. Even the simplest
keylogger will catch all of the entries from the On screen
keyboard as though they were typed."

Posted by: drdreric | June 18, 2007 10:51 AM | Report abuse

I haven't tried but I think you can run KeePass from a zip window. Keep the app as a zip file on a USB drive for daily use and email a copy to yourself when you travel. Perhaps email a flavor of Zip also, just in case.

Sometimes google has problems with .exe attachments so you may need to change the extension in order to email.

Whatever, don't leave any temp files behind.

Posted by: Bud | June 18, 2007 2:00 PM | Report abuse

I am in favor of using my own wireless aircard on my own notebook computers. I also delete cookies everytime I start up the browser (assuming it's Internet Explorer). Also, I now avoid fun websites, like YouTube. And adult sites? NEVER. Think of an adult site like it's the Ebola virus.

Posted by: John A. Babb | June 18, 2007 2:01 PM | Report abuse

I saved a zip copy of keepass as an attachment to a draft in gmail. Once you get into gmail, you will have all your links and cut and paste passwords.

What's next, Bookmarks?

Posted by: Bud | June 18, 2007 2:39 PM | Report abuse

The best solution: just get a sidekickID and forward all your email to it. Why bother going to a public computer and worry if your password is secure or not. For some reason I thought China would have faster netspeed than United States. I read somewhere last year Japan has 6mbs and working over towards 9 mbts streaming. But again China ain't Japan.

Posted by: Rene | June 19, 2007 1:36 AM | Report abuse

There will always be a way to have your password stolen in a strange computer. The best solution would be an external device (e.g. a cell phone, with java) to scramble your password using CHAP so you can type a brand new hash code to the system.

Posted by: Carlos | June 19, 2007 8:06 PM | Report abuse

I like the approach of a disposable email account that you forward emails to so that you can read stuff when away and respond to important things.

But then you still have to sort through all the same emails when you get home. But it would be worse if your password were stolen.

Posted by: michael | June 20, 2007 1:34 PM | Report abuse

Open NotePad, type a series of characters, use the keyboard and mouse to cut, paste and delete until you have your username and password. Then paste them into the application.

Posted by: Lee | June 21, 2007 9:30 AM | Report abuse

I tried your method of typing my password a character or two at a time and going to another URL in between in order to check it out. It didn't work. When I came back, the characters I had typed in were gone.

Posted by: csd426 | June 21, 2007 10:47 AM | Report abuse

I tried your method of typing my password a character or two at a time and going to another URL in between in order to check it out. It didn't work. When I came back, the characters I had typed in were gone.

Posted by: csd426 | June 21, 2007 10:47 AM | Report abuse

I've installed "KeyScrambler" at home. Free. I assume it does what it says it does: 'scrambles' the key stroke at level so that it can't be recorded.

Posted by: John O | June 25, 2007 8:40 PM | Report abuse

csd426, you just need to click somewhere else in the same page to type in the filler characters.

Posted by: fstcat | June 26, 2007 6:30 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company